Blog - article

DPI goes blind as encryption adoption increases

By:
Günter Ollmann
June 1, 2016

Governments and businesses that have traditionally relied upon deep packet inspection (DPI) or content-level inspection technologies to identify threats or control access across the perimeter of their networks are at the cusp of a dramatic and non-reversible sea change. Month on month organizations have observed the silent shift to encrypted communications, and with that, their visibility and control of network traffic has incrementally diminished.

As the encryption of North-South corporate network traffic reaches levels of 60% or more in most environments, organizations are finding themselves in the uncomfortable position of having to plan for the abandonment of the DPI-based perimeter defenses they’ve depended upon for a decade and a half. It would seem that IDS, IPS, DLP, and ADS are rapidly turning dark.

Many organizations are revisiting SSL termination technologies as a means of countering the increased use of encrypted communications and providing a keyhole through which they can extend the life and usefulness of earlier DPI investments.

Unfortunately, I don’t think this approach will provide the longevity many are hoping for.

Much of the “encryption problem” enterprises are facing can be attributed to the likes of Google, Yahoo, and social media sites uniformly adopting HTTPS for all web browser communications. While much of the data searched for, viewed, or commented upon generally does not leak any personal information of the users using these services, in some cases it could – and in some countries with more authoritarian governments, five years or so ago, the biggest web businesses chose to enforce HTTPS to protect everyone. Today businesses are publicly chastised if they don’t offer encryption by default.

The purpose of HTTPS is to protect HTTP traffic from inspection and modification by intermediaries. The use of SSL terminators to “man in the middle” (MITM) user traffic obviously stands counter to why the biggest and most popular Internet service providers have universally adopted HTTPS by default.

What many organizations seeking to leverage SSL Terminators have failed to understand is that there are a bunch of new extensions to web browser technologies that are in the process of being adopted and, within a short period of time, will permanently shut down that inspection window.

The first and most important is HTTP Public Key Pinning (HPKP). What this security feature does is to inform the web browser to associate a specific cryptographic public key with a certain web server; thereby preventing MITM attacks with forged certificates. The web server provides a list of public key hashes so that the web browser can check to ensure that the encryption certificate it is being served is actually one authorized by the web server they want to communicate with. This allows the user’s web browser to determine whether communications are being intercepted and choose to carry on or not.

The second important security extension is HTTP Strict Transport Security (HSTS). This allows the Internet server to prevent protocol downgrade attacks and cookie hijacking, and dictates to a conforming browser that this and all subsequent connections (for a configurable amount of time) to the subject site should only be performed over SSL. In addition, users are no longer permitted the capability to bypass SSL/TLS certificate errors; preventing browser click-through in the event of expired or otherwise untrusted certificates.

While HPKP and HSTS are not universally deployed and enforced yet, they are built in to the current generation of web browser technologies, and it will only be a short period of time before they – just like the universal enforcement of HTTPS before it – are universally deployed. Already today, some top-level domains such as .trust (see the .trust technical policy) and .bank mandate their use.

What starts with web browsers will rapidly trickle down to all other desktop applications within corporate networks.

SSL Termination may, with a little luck, extend the lifetime of DPI-based protection technologies by an additional couple of years for non-web browser traffic inspection. However, organizations should already be evaluating alternative network security technologies that can detect threats whether or not they are over encrypted channels.

Math intensive machine learning and advanced signal processing techniques are currently at the forefront of the battle. They are capable of keeping up with today’s traffic speeds and detecting threats despite increasing (or eventual ubiquity of) encryption of the content-layer.

About the author

Günter Ollmann

Günter Ollmann is CSO of the cloud and AI security devision at Microsoft and an advisor for Vector AI with experience multiple CSO and advisor positions.

Most recent blog posts from the same author

Security operations

Security automation isn't AI security

January 17, 2017
Read blog post
Cybersecurity

InfoSec skills shortage: The No. 1 threat to Internet security

November 15, 2016
Read blog post
Infrastructure

Exploiting the firewall beachhead: A history of backdoors into critical infrastructure

September 28, 2016
Read blog post